History log of /netbsd-current/crypto/dist/ipsec-tools/src/racoon/admin.c
Revision tags: pgoyette-compat-20190127 pgoyette-compat-20190118 pgoyette-compat-1226 pgoyette-compat-1126 pgoyette-compat-1020 pgoyette-compat-0930 pgoyette-compat-0906 pgoyette-compat-0728 phil-wifi-base pgoyette-compat-0625 pgoyette-compat-0521
# 1.41 19-May-2018 maxv

Use strict prototypes, when they don't introduce more warnings than they fix.
Also localify a few functions.


# 1.40 19-May-2018 maxv

Remove unused variables.


Revision tags: netbsd-7-2-RELEASE netbsd-8-0-RELEASE netbsd-8-0-RC2 pgoyette-compat-0502 pgoyette-compat-0422 netbsd-8-0-RC1 pgoyette-compat-0415 pgoyette-compat-0407 pgoyette-compat-0330 pgoyette-compat-0322 pgoyette-compat-0315 netbsd-7-1-2-RELEASE pgoyette-compat-base netbsd-7-1-1-RELEASE matt-nb8-mediatek-base perseant-stdc-iso10646-base netbsd-8-base prg-localcount2-base3 prg-localcount2-base2 prg-localcount2-base1 prg-localcount2-base pgoyette-localcount-20170426 bouyer-socketcan-base1 pgoyette-localcount-20170320 netbsd-7-1-RELEASE netbsd-7-1-RC2 netbsd-7-nhusb-base-20170116 bouyer-socketcan-base pgoyette-localcount-20170107 netbsd-7-1-RC1 pgoyette-localcount-20161104 netbsd-7-0-2-RELEASE localcount-20160914 netbsd-7-nhusb-base pgoyette-localcount-20160806 pgoyette-localcount-20160726 pgoyette-localcount-base netbsd-7-0-1-RELEASE netbsd-7-0-RELEASE netbsd-7-0-RC3 netbsd-7-0-RC2 netbsd-7-0-RC1 netbsd-7-base yamt-pagecache-base9 tls-earlyentropy-base riastradh-xf86-video-intel-2-7-1-pre-2-21-15 riastradh-drm2-base3 riastradh-drm2-base2 riastradh-drm2-base1 riastradh-drm2-base tls-maxphys-base
# 1.39 03-Jun-2013 tteras

branches: 1.39.26;
From Alexander Sbitnev <alexander.sbitnev@gmail.com>: fix admin port
establish-sa for tunnel mode SAs.


Revision tags: netbsd-6-0-6-RELEASE netbsd-6-1-5-RELEASE yamt-pagecache-tag8 netbsd-6-1-4-RELEASE netbsd-6-0-5-RELEASE netbsd-6-1-3-RELEASE netbsd-6-0-4-RELEASE netbsd-6-1-2-RELEASE netbsd-6-0-3-RELEASE netbsd-6-1-1-RELEASE netbsd-6-0-2-RELEASE netbsd-6-1-RELEASE netbsd-6-1-RC4 netbsd-6-1-RC3 agc-symver-base netbsd-6-1-RC2 netbsd-6-1-RC1 yamt-pagecache-base8 ipsec-tools-0_8_1 netbsd-6-0-1-RELEASE yamt-pagecache-base7 matt-nb6-plus-nbase yamt-pagecache-base6 netbsd-6-0-RELEASE netbsd-6-0-RC2 matt-nb6-plus-base netbsd-6-0-RC1 yamt-pagecache-base5 yamt-pagecache-base4 netbsd-6-base yamt-pagecache-base3 yamt-pagecache-base2 yamt-pagecache-base cherry-xenmp-base ipsec-tools-0_8_0 bouyer-quota2-nbase bouyer-quota2-base matt-mips64-premerge-20101231
# 1.38 08-Dec-2010 tteras

branches: 1.38.4; 1.38.8; 1.38.14;
Use separate SA addresses for phase2's created by admin command. The
phase2 startup overwrites src/dst with ISAKMP ports if they are zero
and we don't want that to happen for the SA ports.


# 1.37 12-Nov-2010 tteras

isakmp_post_acquire is now called from admin commands too, add a flag so
admin commands can be used to establish even passive links on demand.


# 1.36 12-Nov-2010 tteras

Extend admin protocol to allow reply packets to exceed 64kb. E.g. SA dumps
with many established SAs can be easily over the limit.


# 1.35 21-Oct-2010 tteras

Introduce priorities for file descriptor polling mechanism and give
priority to admin port. If admin port is used by ISAKMP-SA hook scripts
they should be preferred, otherwise heavy traffic can delay admin port
requests considerably. This in turn may cause renegotiation loop for
ISAKMP-SA. This is mostly useful for OpenNHRP setup, but can benefit
other setups too.


# 1.34 21-Oct-2010 tteras

Remove initial-contact entry when all ISAKMP-SA are purged via adminport.
This will avoid stale security associations if some of the delete
notifications happen to get lost.


# 1.33 22-Sep-2010 vanhu

get the correct length of username when processing ADMIN_LOGOUT_USER, patch by rweikusat (at) mssgmbh.com


Revision tags: matt-premerge-20091211
# 1.32 03-Sep-2009 tteras

When rekeying phase2 use phase1 used to negotiate phase2 as a hint to
select the phase1 for rekeying the new phase2.


# 1.31 03-Jul-2009 tteras

Get rid of the evil CMPSADDR macro. Trac #295.


Revision tags: jym-xensuspend-nbase jym-xensuspend-base
# 1.30 20-Apr-2009 tteras

Originally from Bin Li: Fix a crash with racoonctl logout user.


# 1.29 12-Mar-2009 tteras

Support multiple anonymous remotes and decide remoteconf based on identity,
received certificates and other information. General code clean up.


# 1.28 23-Jan-2009 tteras

branches: 1.28.2;
Remove "fastquit" configure option and make it the default behaviour. The
previous normal behaviour is buggy, as after flush kernel can immediately
create larval SA:s which would prevent exit.


# 1.27 23-Dec-2008 tteras

rewrite local address detection
make some functions static that are not needed globally
rework how fd_set is constructed for the main loop select()


Revision tags: netbsd-5-0-RC1 netbsd-5-base matt-mips64-base2
# 1.26 19-Sep-2008 tteras

branches: 1.26.4;
Implement ISAKMP SA rekeying configurable with rekey {on|off|force} option
in remote conf.


Revision tags: wrstuden-revivesa-base-3 wrstuden-revivesa-base-2
# 1.25 29-Aug-2008 gmcgarry

Eliminate gcc-specific feature of unnamed structures added recently.


Revision tags: wrstuden-revivesa-base-1 wrstuden-revivesa-base
# 1.24 18-Jun-2008 mgrooms

Add an admin port command to retrieve the peer certificate. Submitted by Timo Teras.


# 1.23 18-Jun-2008 mgrooms

Set sockets to be closed on exec to avoid potential file descriptor inheritance issues. Submitted by Timo Teras.


# 1.22 18-Jun-2008 mgrooms

Use utility functions to evaluate and manipulate network port values. No functional changes. Submitted by Timo Teras.


# 1.21 18-Jun-2008 mgrooms

Admin port code cleanup. No functional changes. Submitted by Timo Teras.


Revision tags: yamt-pf42-base4 yamt-pf42-base3 hpcarm-cleanup-nbase yamt-pf42-baseX yamt-pf42-base2 yamt-pf42-base keiichi-mipv6-base matt-armv6-nbase
# 1.20 06-Mar-2008 mgrooms

branches: 1.20.4;
Add the ability to initiate IPsec SA negotiations using the admin socket.
Submitted by Timo Teras.


# 1.19 06-Mar-2008 mgrooms

Refactor admin socket event protocol to be less error prone. Backwards compatibility is provided. Submitted by Timo Teras.


Revision tags: matt-armv6-prevmlocking cube-autoconf-base matt-armv6-base matt-mips64-base hpcarm-cleanup-base
# 1.18 18-Jul-2007 vanhu

branches: 1.18.4; 1.18.8; 1.18.10;
use a single PATH_IPSEC_H to fix some path_to_ipsec.h issues


Revision tags: ipsec-tools-0_7-rc1 ipsec-tools-0_7-RC1 ipsec-tools-0_7-beta3 ipsec-tools-0_7-beta2 ipsec-tools-0_7-beta1 ipsec-tools-0_7-base netbsd-4-base
# 1.17 03-Oct-2006 manu

branches: 1.17.2; 1.17.4; 1.17.6;
fix endianness issue introduced yesterday


# 1.16 02-Oct-2006 manu

Fix memory leak (Coverity 2002)


# 1.15 02-Oct-2006 manu

Fix memory leak (Coverity 2001), refactor the code to use port get/set
functions


# 1.14 02-Oct-2006 manu

Avoid reusing free'd pointer (Coverity 4200)


# 1.13 30-Sep-2006 manu

Do not free id and key, as they are used later


# 1.12 26-Sep-2006 manu

Remove dead code (Coverity)


# 1.11 26-Sep-2006 manu

Fix memory leak (Coverity)


# 1.10 26-Sep-2006 manu

One more memory leak


# 1.9 26-Sep-2006 manu

Fix memory leak in racoonctl (coverity)


# 1.8 09-Sep-2006 manu

Migration of ipsec-tools to NetBSD CVS part 2: resolving the import conflicts.
Since we previously had a release branch and we import here the HEAD of CVS,
let's assume all local changes are to be dumped. Local patches should have
been propagated upstream, anyway.


Revision tags: abandoned-netbsd-4-base
# 1.7 21-Nov-2005 manu

Merge ipsec-tools 0.6.3 import


# 1.6 20-Aug-2005 manu

Update to ipsec-tools 0.6.1


# 1.5 07-Aug-2005 manu

Resolve conflicts caused by recent ipsec-tools-0.6.1rc1 import by preferring
the newer software. Some useful local change might have been overwritten,
we'll take care of this soon.


# 1.4 12-Jul-2005 manu

Don't use adminport when it is disabled


# 1.3 08-May-2005 manu

More NAT-T fixes for the situation where racoon acts as a VPN client
Flush SA and generated SP on DPD timeout and deletion payloads


# 1.2 14-Apr-2005 wiz

all SA -> all SAs.


# 1.1 12-Feb-2005 manu

branches: 1.1.1;
Initial revision


# 1.39 02-Jun-2013 tteras

From Alexander Sbitnev <alexander.sbitnev@gmail.com>: fix admin port
establish-sa for tunnel mode SAs.


# 1.38 08-Dec-2010 tteras

branches: 1.38.4; 1.38.8; 1.38.14;
Use separate SA addresses for phase2's created by admin command. The
phase2 startup overwrites src/dst with ISAKMP ports if they are zero
and we don't want that to happen for the SA ports.


# 1.37 12-Nov-2010 tteras

isakmp_post_acquire is now called from admin commands too, add a flag so
admin commands can be used to establish even passive links on demand.


# 1.36 12-Nov-2010 tteras

Extend admin protocol to allow reply packets to exceed 64kb. E.g. SA dumps
with many established SAs can be easily over the limit.


# 1.35 21-Oct-2010 tteras

Introduce priorities for file descriptor polling mechanism and give
priority to admin port. If admin port is used by ISAKMP-SA hook scripts
they should be preferred, otherwise heavy traffic can delay admin port
requests considerably. This in turn may cause renegotiation loop for
ISAKMP-SA. This is mostly useful for OpenNHRP setup, but can benefit
other setups too.


# 1.34 21-Oct-2010 tteras

Remove initial-contact entry when all ISAKMP-SA are purged via adminport.
This will avoid stale security associations if some of the delete
notifications happen to get lost.


# 1.33 22-Sep-2010 vanhu

get the correct length of username when processing ADMIN_LOGOUT_USER, patch by rweikusat (at) mssgmbh.com


# 1.32 03-Sep-2009 tteras

When rekeying phase2 use phase1 used to negotiate phase2 as a hint to
select the phase1 for rekeying the new phase2.


# 1.31 03-Jul-2009 tteras

Get rid of the evil CMPSADDR macro. Trac #295.


# 1.30 20-Apr-2009 tteras

Originally from Bin Li: Fix a crash with racoonctl logout user.


# 1.29 12-Mar-2009 tteras

Support multiple anonymous remotes and decide remoteconf based on identity,
received certificates and other information. General code clean up.


# 1.28 23-Jan-2009 tteras

branches: 1.28.2;
Remove "fastquit" configure option and make it the default behaviour. The
previous normal behaviour is buggy, as after flush kernel can immediately
create larval SA:s which would prevent exit.


# 1.27 23-Dec-2008 tteras

rewrite local address detection
make some functions static that are not needed globally
rework how fd_set is constructed for the main loop select()


# 1.26 19-Sep-2008 tteras

branches: 1.26.4;
Implement ISAKMP SA rekeying configurable with rekey {on|off|force} option
in remote conf.


# 1.25 28-Aug-2008 gmcgarry

Eliminate gcc-specific feature of unnamed structures added recently.


# 1.24 18-Jun-2008 mgrooms

Add an admin port command to retrieve the peer certificate. Submitted by Timo Teras.


# 1.23 18-Jun-2008 mgrooms

Set sockets to be closed on exec to avoid potential file descriptor inheritance issues. Submitted by Timo Teras.


# 1.22 18-Jun-2008 mgrooms

Use utility functions to evaluate and manipulate network port values. No functional changes. Submitted by Timo Teras.


# 1.21 18-Jun-2008 mgrooms

Admin port code cleanup. No functional changes. Submitted by Timo Teras.


# 1.20 05-Mar-2008 mgrooms

branches: 1.20.4;
Add the ability to initiate IPsec SA negotiations using the admin socket.
Submitted by Timo Teras.


# 1.19 05-Mar-2008 mgrooms

Refactor admin socket event protocol to be less error prone. Backwards compatibility is provided. Submitted by Timo Teras.


# 1.18 18-Jul-2007 vanhu

branches: 1.18.4; 1.18.8; 1.18.10;
use a single PATH_IPSEC_H to fix some path_to_ipsec.h issues


# 1.17 03-Oct-2006 manu

branches: 1.17.2; 1.17.4; 1.17.6;
fix endianness issue introduced yesterday


# 1.16 02-Oct-2006 manu

Fix memory leak (Coverity 2002)


# 1.15 02-Oct-2006 manu

Fix memory leak (Coverity 2001), refactor the code to use port get/set
functions


# 1.14 02-Oct-2006 manu

Avoid reusing free'd pointer (Coverity 4200)


# 1.13 30-Sep-2006 manu

Do not free id and key, as they are used later


# 1.12 26-Sep-2006 manu

Remove dead code (Coverity)


# 1.11 26-Sep-2006 manu

Fix memory leak (Coverity)


# 1.10 26-Sep-2006 manu

One more memory leak


# 1.9 26-Sep-2006 manu

Fix memory leak in racoonctl (coverity)


# 1.8 08-Sep-2006 manu

Migration of ipsec-tools to NetBSD CVS part 2: resolving the import conflicts.
Since we previously had a release branch and we import here the HEAD of CVS,
let's assume all local changes are to be dumped. Local patches should have
been propagated upstream, anyway.


# 1.7 21-Nov-2005 manu

Merge ipsec-tools 0.6.3 import


# 1.6 19-Aug-2005 manu

Update to ipsec-tools 0.6.1


# 1.5 07-Aug-2005 manu

Resolve conflicts caused by recent ipsec-tools-0.6.1rc1 import by preferring
the newer software. Some useful local change might have been overwritten,
we'll take care of this soon.


# 1.4 12-Jul-2005 manu

Don't use adminport when it is disabled


# 1.3 08-May-2005 manu

More NAT-T fixes for the situation where racoon acts as a VPN client
Flush SA and generated SP on DPD timeout and deletion payloads


# 1.2 14-Apr-2005 wiz

all SA -> all SAs.


# 1.1 12-Feb-2005 manu

branches: 1.1.1;
Initial revision


# 1.1.1.4 08-Sep-2006 manu

Migrate ipsec-tools CVS to cvs.netbsd.org


# 1.1.1.3 07-Aug-2005 manu

Update ipsec-tools to 0.6.1rc1
Most of the changes since 0.6b4 have already been committed to the NetBSD
tree. This upgrade fixes some IPcomp and NAT-T related problems that were
left unaddressed in the NetBSD tree.


# 1.1.1.2 23-Feb-2005 manu

branches: 1.1.1.2.2;
Import ipsec-tools 0.6 branch as of 2005/02/23. News from last imported version
according to ipsec-tools' ChangeLog:

2005-02-23 Emmanuel Dreyfus <manu@netbsd.org>

* configure.ac, src/racoon/{Makefile.am|crypto_openssl.c}: optional
support for patented algorithms: IDEA and RC5.
* src/racoon/{isakmp_xauth.c|main.c}: don't initialize RADIUS if it
is not required in the configuration
* src/racoon/isakmp.c: do not reject addresses for which kernel
refused UDP encapsulation, they can still be used for non NAT-T
traffic (eg: NAT-T enabled racoon on non NAT-T enabled kernel)

2005-02-18 Emmanuel Dreyfus <manu@netbsd.org>

* src/racoon/{main.c|eaytest.c|plairsa-gen.c}
src/setkey/setkey.c: don't use fuzzy paths for package_version.h

2005-02-18 Yvan Vanhullebus <vanhu@free.fr>

* src/racoon/isakmp_inf.c: Purge generated SPDs when getting a
related DELETE_SA
* src/racoon/pfkey.c: do NOT unbindph12() when SA acquire

2005-02-17 Emmanuel Dreyfus <manu@netbsd.org>

From Fred Senault <fred.letter@lacave.net>
* src/racoon/remoteconf.c: Fix a bug in script init

2005-02-17 Yvan Vanhullebus <vanhu@free.fr>

* src/racoon/ipsec_doi.c: Workaround for phase1 lifetime checks

2005-02-15 Michal Ludvig <michal@logix.cz>

* configure.ac: Changed --enable-natt_NN to --enable-natt-versions=NN,NN


# 1.1.1.1 12-Feb-2005 manu

Import ipsec-tools (tag ipsec-tools-0_6-base in ipsec-tools CVS)
ipsec-tools is a fork from KAME racoon/libipsec/setkey, with many
enhancements.


# 1.1.1.2.2.4 21-Nov-2005 tron

Apply patch (requested by manu in ticket #981):
Update ipsec-tools to version 0.6.3.


# 1.1.1.2.2.3 03-Sep-2005 snj

Apply patch (requested by tron in ticket #741):
Update ipsec-tools to version 0.6.1.


# 1.1.1.2.2.2 12-Jul-2005 tron

Pull up revision 1.4 (requested by manu in ticket #581):
Don't use adminport when it is disabled


# 1.1.1.2.2.1 11-May-2005 tron

Pull up revision 1.3 (requested by manu in ticket #277):
More NAT-T fixes for the situation where racoon acts as a VPN client
Flush SA and generated SP on DPD timeout and deletion payloads


# 1.17.6.3 20-Apr-2009 tteras

Originally from Bin Li: Fix a crash with racoonctl logout user.


# 1.17.6.2 18-Jun-2008 mgrooms

Use utility functions to evaluate and manipulate network port values. No functional changes. Submitted by Timo Teras.


# 1.17.6.1 01-Aug-2007 vanhu

use a single PATH_IPSEC_H to fix some path_to_ipsec.h issues


# 1.17.4.2 04-Sep-2008 skrll

Sync with netbsd-4.


# 1.17.4.1 03-Sep-2007 wrstuden

Sync w/ NetBSD-4-RC_1


# 1.17.2.2 18-Aug-2008 jdc

Upgrade ipsec-tools to release 0.7.1 (requested by manu in ticket #1183).


# 1.17.2.1 28-Aug-2007 liamjfoy

branches: 1.17.2.1.2;
Pull up following revision(s) (requested by manu in ticket #830):

Import ipsec-tools 0.7


# 1.17.2.1.2.1 18-Aug-2008 jdc

Upgrade ipsec-tools to release 0.7.1 (requested by manu in ticket #1183).


# 1.18.10.2 18-Jul-2007 vanhu

use a single PATH_IPSEC_H to fix some path_to_ipsec.h issues


# 1.18.10.1 18-Jul-2007 vanhu

file admin.c was added on branch matt-mips64 on 2007-07-18 12:07:52 +0000


# 1.18.8.1 24-Mar-2008 keiichi

sync with head.


# 1.18.4.1 22-Mar-2008 matt

sync with HEAD


# 1.20.4.2 17-Sep-2008 wrstuden

Sync with wrstuden-revivesa-base-2.


# 1.20.4.1 22-Jun-2008 wrstuden

Sync w/ -current. 34 merge conflicts to follow.


# 1.26.4.1 08-Feb-2009 snj

Apply patch (requested by manu/spz in #378):
Downgrade ipsec-tools to 0.7.1nb1.


# 1.28.2.1 13-May-2009 jym

Sync with HEAD.

Third (and last) commit. See http://mail-index.netbsd.org/source-changes/2009/05/13/msg221222.html


# 1.38.14.1 23-Jun-2013 tls

resync from head


# 1.38.8.1 22-May-2014 yamt

sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was split into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")


# 1.38.4.1 02-Jun-2013 tteras

From Alexander Sbitnev <alexander.sbitnev@gmail.com>: fix admin port
establish-sa for tunnel mode SAs.